Office 365 Multi-Factor Authentication with Microsoft Azure Active Directory


Editor’s note: The following post was written by Office 365 MVP Nuno Árias Silva.

Office 365 with Microsoft Azure Active Directory is an enterprise-level identity and access management cloud solution. Office 365 with Microsoft Azure Active Directory Premium, built on top of the core offering of Azure AD, provides a robust set of capabilities to empower enterprises with more demanding needs on identity and access management. This article shows the features of integrating Office 365 with this premium offering, with a focus on Multi-Factor Authentication.

 

Multi-factor authentication increases the security of user logins compared with the traditional cloud sign-in scenario, which relies on just a user name and a password. With Multi-Factor Authentication, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

 

The advantages of using Azure Multi-factor authentication are:

  • More security, fewer hoops
  • Real-time monitoring and alerts
  • Deploy it on-premises or in the cloud
  • Works with Office 365, Salesforce and more
  • More protection for Azure administrators
  • Build it into your applications

 

The main differences between Multi-Factor Authentication for Office 365 compared to Microsoft Azure MFA are:

 

| Feature | Multi-Factor Authentication for Office 365 | Microsoft Azure Multi-Factor Authentication |
| --- | --- | --- |
| Administrators can Enable/Enforce MFA to end-users | Yes | Yes |
| Use Mobile app (online and OTP) as second authentication factor | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes |
| App passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes |
| Remember Me (Public Preview coming in June) | Yes | Yes |
| IP Whitelist (currently in Public Preview) | | Yes |
| Custom greetings during authentication phone calls | | Yes |
| Fraud alert | | Yes |
| Event Confirmation | | Yes |
| Security Reports | | Yes |
| Block/Unblock Users | | Yes |
| One-Time Bypass | | Yes |
| Customizable caller ID for authentication phone calls | | Yes |
| MFA Server – MFA for on-premises applications | | Yes |
| MFA SDK – MFA for custom apps | | Yes |

 

How to configure and enable Azure Multifactor authentication on Office 365

The first steps to configure are:

 

  1. Sign up for an Azure subscription
    1. The first step is to sign up for an Azure subscription. If you already have an Azure subscription, skip to the next step.
  2. Create a Multi-Factor Auth Provider
    1. In the Azure Management Portal create a Multi-Factor Auth Provider. https://msdn.microsoft.com/en-us/library/azure/dn376346.aspx#create
  3. Enable Multi-Factor Authentication on your users
    1. To enable Multi-Factor Authentication on your Office 365 users see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#enableuser
  4. Send email to end users to notify them about MFA
    1. For an example email template see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#emailtemplate
  5. Have a user sign in and complete the registration process
    1. To sign in the first time and complete the registration process see https://msdn.microsoft.com/en-us/library/azure/dn394276.aspx
  6. Configure app passwords for non-browser apps (such as …Outlook etc.).
    1. To configure app passwords see https://msdn.microsoft.com/en-us/library/azure/dn270518.aspx#apppassword
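
The "enable Multi-Factor Authentication on your users" step can also be scripted and audited. The following is an added example, not code from the original post: it assumes the MSOnline (Azure AD v1) PowerShell module and a tenant administrator account, and the pilot address is a constructed placeholder.

```powershell
# Added example: report per-user MFA state, then enable MFA for a pilot group.
# Assumption: MSOnline module installed; caller is a tenant administrator.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # An empty StrongAuthenticationRequirements collection means MFA is off.
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($req) { $req.State } else { 'Disabled' }
}

# 1. Audit: MFA state and default second factor for every licensed user.
$report = Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-MfaState -User $_
        DefaultMethod     = ($_.StrongAuthenticationMethods |
                              Where-Object { $_.IsDefault }).MethodType
    }
}
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# 2. Build the requirement object that switches MFA on for a user.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'        # applies to all relying parties
$requirement.State        = 'Enabled'  # user is asked to register a second factor

# 3. Enable only pilot users that are still in the Disabled state.
$pilot = @('pilot.user@contoso.example')   # constructed placeholder UPN
$report |
    Where-Object { $_.MfaState -eq 'Disabled' -and $pilot -contains $_.UserPrincipalName } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName `
                     -StrongAuthenticationRequirements @($requirement)
        Write-Output "MFA enabled for $($_.UserPrincipalName)"
    }
```

Re-running the audit section after the notification email has gone out shows which pilot users have completed registration, because their default method is populated.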

 

For advanced settings such as fraud alert, one-time bypass, and configuring your own customized voice messages see https://technet.microsoft.com/en-us/library/dn376348.aspx

 

After you have configured Multi-Factor Authentication on Azure integrated with Office 365, you can sign in to the Azure Portal and select Manage.

Here you can see some of the functions that are available.

With all these steps configured, your organization is ready to strengthen its security with the advanced features of Azure Multi-Factor Authentication.

 

Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enable regulatory compliance by providing an extra layer of authentication in addition to a user’s account credentials. For that additional authentication it uses a convenient form factor that users already have (and care about): their phone. During sign-in, users must also authenticate using the mobile app or by responding to an automated phone call or text message before access is granted. An attacker would need to know the user’s password and have possession of the user’s phone to sign in. It is a solution for both cloud-based and on-premises applications.

Multi-factor authentication is becoming the new standard for securing access and how businesses ensure trust in a multi-device, mobile, cloud world.

Final Note:

Microsoft is currently in the process of updating the Office 2013 client applications to support Multi-Factor Authentication through the use of the Active Directory Authentication Library (ADAL). These updates will be coming to various Office 2013 clients over the next several months.

This will mean that once these updates are available, app passwords will no longer be required for Office 2013 clients. However, until these updates are available, app passwords will still be required.

Currently the following Office 2013 clients no longer require the use of app passwords:

• Office 2013 for iOS

• Office 2013 for OS X

 

Introduction to ADAL based authentication

 

The ADAL based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication) where the user is directed to a web page from the identity provider to authenticate.

For additional information on these updates see: Office 2013 updated authentication enabling Multi-Factor Authentication and SAML identity providers here – http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers

 

Support Links:

 

• Azure Multi-Factor Authentication: http://azure.microsoft.com/en-us/services/multi-factor-authentication

• Securing access to cloud services – Information for Administrators: http://technet.microsoft.com/en-us/library/dn394289.aspx

• Azure Active Directory Editions: http://msdn.microsoft.com/library/azure/dn532272.aspx

 

About the author

 

Nuno is a Manager at Capgemini Portugal – Microsoft Solutions Architect – MVP Office 365 at Capgemini (Microsoft Gold Partner) for Microsoft Office 365, Exchange, Private Cloud, Infrastructure, Active Directory, SQL and Auditing Microsoft Products, support at pre-sales and sales areas.  Specialist in Office 365, with a focus on Exchange, Virtualization, Azure and System Center: With more than 17 years’ experience in Datacenter Architectures, with Master in Information Technologies, Nuno has 30+ certifications (MCSE, MCITP, MCSA and MCTS among others). Experience in enterprise environments: He has worked several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms and IT Services, Gas-Oil Company in different countries and continents. Assisted Microsoft in the development of workshops and special events and case studies, and as a speaker at several Microsoft events. Contributes with several articles and publications in various blogs and communities.  Follow him on Twitter @nunoariassilva 


Source: http://blogs.msdn.com/b/mvpawardprogram/archive/2015/03/23/office-365-multi-factor-authentication-with-microsoft-azure-active-directory.aspx​

Published: 3/24/2015 11:26